Open Bug 1914999 Opened 28 days ago Updated 17 days ago

Entrust: S/MIME OrgID Country not matching C field

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: bruce.morton, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance] [smime-misissuance] Next update 2024-10-01)

Attachments

(1 file)


Preliminary Incident Report

Summary

Post-issuance linting identified three (3) S/MIME certificates where the jurisdiction of the organization represented in the Organization Identifier field did not match the organization represented in the country field of the subject name, as required by the S/MIME BRs, where section 7.1.4.2.8 states:

The CA SHALL:

  1. confirm that the organization represented by the Registration Reference is the same as the organization named in the organizationName field as specified in Section 7.1.4.2.1 within the context of the subject’s jurisdiction as specified in Section 7.1.4.2.4;

It was determined the certificates were mis-issued and must be revoked per S/MIME BR 4.9.1.1 item 11.

Impact

We identified three (3) S/MIME Sponsor-Validated certificates that were mis-issued where the jurisdiction of the organization represented in the organization identifier field did not match the organization represented in the country field of the subject name. These certificates were issued to Entrust as part of QA testing. The certificates will be revoked within the 5-day requirement.

Next steps

A full incident report including the root cause analysis, lessons learned, and action items will be posted per the CCADB full incident report requirement.

Assignee: nobody → bruce.morton
Status: NEW → ASSIGNED
Type: defect → task
Whiteboard: [ca-compliance] [smime-misissuance]

Affected certificates

Group: mozilla-employee-confidential

Currently working on final incident report.

We are currently working on the final incident report, which will be posted 2024-09-06.

Incident Report

Summary

Post-issuance linting identified three (3) S/MIME certificates where the jurisdiction of the organization represented in the organization identifier field did not match the organization represented in the country field of the subject name as required by S/MIME BRs where section 7.1.4.2.8 states:

The CA SHALL:

  1. confirm that the organization represented by the Registration Reference is the same as the organization named in the organizationName field as specified in Section 7.1.4.2.1 within the context of the subject’s jurisdiction as specified in Section 7.1.4.2.4;

It was determined the certificates were mis-issued and must be revoked per S/MIME BR 4.9.1.1 item 11.

Impact

We identified three (3) S/MIME Sponsor-Validated certificates that were mis-issued where the jurisdiction of the organization represented in the organization identifier field did not match the organization represented in the country field of the subject name. These certificates were issued to Entrust as part of QA testing. The certificates were revoked within the 5-day requirement.

Timeline

All times are UTC.

2024-08-23:

  • 19:09 Post-issuance pkilint logged a certificate error “cabf.smime.org_identifier_and_country_name_attribute_inconsistent”
  • 19:09 linting system emailed the error to Support and Development; a case was created in the Support system

2024-08-26:

  • 00:12 Support escalated case to development
  • 12:21 Compliance team was advised of a certificate issuance error.
  • 12:42 Compliance team confirmed the mis-issuance.
  • 14:00 Compliance Response Team met to review the incident
  • 14:02 It was determined that there was a verification issue, which allowed the organization identifier and the place of business to have different countries
  • 15:31 Determined that only one Entrust QA account was impacted by the organization identifier jurisdiction error
  • 16:53 Verification process updated to prevent organization identifier country inconsistency
  • 17:30 Compliance Response Team follow-up meeting
  • 22:05 All certificates were revoked.

Root Cause Analysis

Why was the organization identifier inconsistent with the place of business country?

The verification system did not check for consistency between the organization identifier and the place of business country fields.

Why was field consistency not checked?

When implementing the organization identifier, we overlooked the requirement for the registration reference to match other verified information, specifically the country value, as outlined in section 3.2.3 of the SMIME Baseline requirements.

Why was the requirement for the registration reference to match other verified information overlooked?

The EV Guidelines allow the jurisdiction country to be different from the place of business country. The S/MIME BR requirements gathering process assumed that the same inconsistency was allowed between the country of the registration reference (e.g., organization identifier) and other verified information (e.g., place of business country). Requirements gathering did not include a full enough understanding of the S/MIME BRs to recognize that the country values needed to be consistent.

Why were the S/MIME BRs not fully understood?

The requirements review and compliance process at the time of implementation did not ensure that each requirement in the S/MIME BRs was addressed.

Note: The Certificate Services Compliance Change Management Policy implemented effective July 2024 requires all compliance requirements to be explicitly listed, understood, and addressed.

Why were the mis-issued certificates not detected before signature?

The current S/MIME certificate issuance process does not produce a to-be-signed certificate (TBSCertificate) that can be linted pre-signing. As an interim solution, in our 14.0.1 release we updated our S/MIME issuance process to perform linting on certificates immediately after signing but before being made available to subscribers. When that change was deployed, the internal CPR design was not updated to notify the Support or Compliance teams immediately.

The upgrade to S/MIME issuance planned for our 14.1 release in November will make TBSCertificates available and add pre-signing linting to check for potential errors.

Lessons Learned

What went well

  • Errors were detected by pkilint and the Subscribers were not provided with mis-issued certificates
  • The CPR was created, reviewed, and the mis-issued certificates revoked within the timelines required by the S/MIME BRs.

What didn't go well

  • The certificate validation system did not detect the jurisdiction inconsistency
  • Support did not immediately recognize the error email was a CPR

Where we got lucky

  • Error was limited to one account and 3 certificates which were assigned to the Entrust QA team

Action Items

Action Item                                                                  Kind     Due Date
Update certificate validation system to prevent jurisdiction inconsistency   Prevent  2024-09-30
Ongoing training of all team leaders and personnel on the Certificate
  Services Compliance Change Management Policy                               Prevent  2024-09-30
Implement pre-sign linting for S/MIME                                        Detect   2024-11-30

Appendix

Details of affected certificates

Affected certificates have been posted per comment #2.

Whiteboard: [ca-compliance] [smime-misissuance] → [ca-compliance] [smime-misissuance] Next update 2024-10-01
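The consistency check that the root cause analysis above describes as missing from the validation system, written here as an added Python example (it is not pkilint's code and not Entrust's validation system): it parses the organizationIdentifier syntax of S/MIME BR section 7.1.4.2.8 (scheme, country, optional "+" state, "-" registration reference) and compares the jurisdiction country against the subject C attribute, reporting the same finding identifier that pkilint logged in the timeline. The accepted scheme list, the handling of the LEI/INT placeholder codes "XG"/"XX", the two extra finding names prefixed "example." and the sample subjects are this example's own assumptions and constructed data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Finding identifier as logged by pkilint in the bug's timeline.
FINDING_INCONSISTENT = "cabf.smime.org_identifier_and_country_name_attribute_inconsistent"
# Hypothetical finding names used only by this example (not pkilint identifiers).
FINDING_UNPARSEABLE = "example.org_identifier_unparseable"
FINDING_SCHEME_COUNTRY = "example.org_identifier_scheme_country_mismatch"

# Registration Scheme identifiers this example accepts (assumption: complete list)
# and the fixed country codes two of them carry per S/MIME BR 7.1.4.2.8.
SCHEMES = ("NTR", "VAT", "PSD", "LEI", "GOV", "INT")
FIXED_SCHEME_COUNTRY = {"LEI": "XG", "INT": "XX"}

# Syntax: <scheme><country>[+<state>]-<reference>.
# Assumption: the State/Province part never contains "-" (the reference may).
ORG_ID_RE = re.compile(
    r"^(?P<scheme>%s)(?P<country>[A-Z]{2})(?:\+(?P<state>[^-]+))?-(?P<reference>.+)$"
    % "|".join(SCHEMES)
)


@dataclass(frozen=True)
class OrgIdentifier:
    scheme: str
    country: str
    state: Optional[str]
    reference: str


def parse_org_identifier(value: str) -> OrgIdentifier:
    """Split an organizationIdentifier attribute value into its components."""
    m = ORG_ID_RE.match(value)
    if m is None:
        raise ValueError(f"organizationIdentifier does not match expected syntax: {value!r}")
    return OrgIdentifier(m["scheme"], m["country"], m["state"], m["reference"])


def subject_from_rdn_string(rdn: str) -> Dict[str, str]:
    """Turn 'C=GB,O=Example Ltd,organizationIdentifier=NTRGB-1' into a dict.
    Assumption: attribute values contain no escaped or quoted commas."""
    subject: Dict[str, str] = {}
    for part in rdn.split(","):
        name, _, value = part.strip().partition("=")
        subject[name.strip()] = value.strip()
    return subject


def lint_subject(subject: Dict[str, str]) -> List[str]:
    """Return the findings for one subject; an empty list means consistent."""
    org_id = subject.get("organizationIdentifier")
    if org_id is None:
        return []  # attribute absent: nothing to compare
    try:
        parsed = parse_org_identifier(org_id)
    except ValueError:
        return [FINDING_UNPARSEABLE]
    fixed = FIXED_SCHEME_COUNTRY.get(parsed.scheme)
    if fixed is not None:
        # "XG"/"XX" are scheme placeholders, not a jurisdiction, so there is no
        # country to compare with C (assumption); only check the placeholder itself.
        return [] if parsed.country == fixed else [FINDING_SCHEME_COUNTRY]
    # The check the report says was missing: the jurisdiction country encoded in
    # the organizationIdentifier must equal the subject countryName (C).
    if parsed.country != subject.get("C"):
        return [FINDING_INCONSISTENT]
    return []


def lint_rdn(rdn: str) -> List[str]:
    return lint_subject(subject_from_rdn_string(rdn))


# Constructed sample subjects; none of these are the certificates from this bug.
SAMPLES = {
    "consistent": "C=GB,O=Example Ltd,organizationIdentifier=NTRGB-12345678",
    "inconsistent": "C=GB,O=Example Ltd,organizationIdentifier=NTRUS+CA-1234567",
    "lei": "C=DE,O=Beispiel GmbH,organizationIdentifier=LEIXG-5493000000000000TEST",
}

if __name__ == "__main__":
    for label, rdn in SAMPLES.items():
        print(f"{label:12s} {lint_rdn(rdn) or 'ok'}")
```

Subjects are passed as plain attribute dictionaries (or an unescaped RDN string) so the block runs without a certificate parser; in an issuance pipeline the same function would be fed the decoded subject of the to-be-signed certificate, which is the pre-signing point where the report's 14.1 action item places linting.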
